~eau/passwd

284475e51c1a4881b13f0bd9e73aea67381d662a — eau 5 years ago be38b05
I suck at formatting this markdown crap..
1 files changed, 15 insertions(+), 12 deletions(-)

M README.md
M README.md => README.md +15 -12
@@ 3,12 3,12 @@
[![builds.sr.ht status](https://builds.sr.ht/~eau/passwd.svg)](https://builds.sr.ht/~eau/passwd?)

passwd
========
======

A simple golang password hashing package.

Description
-----------
===========

New "password hashing" algorithms (PHC) have emerged in order to counter the increase in hardware assets
available to crack passwords easily when they are stolen.


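Review bot: the `===========` underline under `Description` promotes it from H2 (the old `-----------`) to H1, so it now sits at the same level as the `passwd` title; the same applies to the other `------` to `======` changes further down in this commit. If the intent is a single H1 for the package name, keep `---` for section titles or write `## Description`. Shortening the title underline to `======` is harmless on its own, since CommonMark accepts an underline of any length.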
@@ 36,9 36,9 @@ You can also decide to use your own *Argon2* or *Scrypt* custom parameters with 


How to Use the package
----------------------
======================

# About Hashing Profiles
### **About Hashing Profiles**
It is an attempt to dimension crypto parameters to common use cases (interactive/web auth/blabla) vs file storage

- Default  : ~interactive.


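Review bot: `### **About Hashing Profiles**` wraps the heading text in bold, which is redundant because headings already render emphasized, and jumping from the H1 `How to Use the package` straight to H3 skips a level. `## About Hashing Profiles` is enough and keeps the hierarchy readable in the source.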
@@ 48,7 48,7 @@ Custom profiles allow a user to define its own hashing parameters if those defau
      


## Public vs Masked parameters
### **Public vs Masked parameters**

Commonly password hashing includes hashing parameters in order to provide interoperability.



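Review bot: demoting `## Public vs Masked parameters` to `###` puts it at the same level as `### **Public parameters (common practice)**`, `### **Masked parameters**` and `### **Key'ed Hash**` from the later hunks, so the fact that those three are the two variants and the key'd option of this section is no longer visible in the heading structure. Leave this one at `##` and use `###` for the three below it. The whitespace-only context line at the top of the hunk could also be trimmed while this region is being touched.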
@@ 56,7 56,7 @@ if no interoperability is needed (outside your authentication needs) and to make
attacker, you might "mask" your parameters (instead of embedding them in the resulting hash).
      

## Public parameters (common practice)
### **Public parameters (common practice)**

Public parameters will embbed the derivation parameters in the resulting hash.
This allows you to simply use the **`passwd.Compare()`** function against a hash without


@@ 64,7 64,7 @@ the need of a profile object.



## Masked parameters
### **Masked parameters**

Masked parameters will remove the derivation parameters from the resulting hash.
This requires you to **`passwd.NewMasked()`** before calling the profile **`Compare()`**


@@ 76,7 76,7 @@ with your key derivation in order to attack it offline.
**!!! IMPORTANT !!! This is NOT what makes your hash safe, it just makes it slightly harder to attack offline.**     


## Key'ed Hash 
### **Key'ed Hash**


Key'd hashes makes it impossible to bruteforce (unless collision in hashes of course or the secret leaks), 


@@ 147,7 147,7 @@ done.


Status
------
======

This package exclusively uses crypto algorithm implementations shipped in go extended crypto packages (located in `x/crypto/`)



@@ 162,7 162,8 @@ Note: small issue with git.sr.ht that prevents for now to go get subpackages ins
hopefully this helps understanding how to use this package.      


# Changelog
Changelog
=========

* v0.2.0: (MASTER BRANCH / NOT RELEASED/TAGGED THIS IS JUST MASTER).
	* added key'd hash ability (using sha3-256/384 instead sha1/sha256) based on facebook key'd hmac salt/hash using 


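Review bot: this replaces the ATX `# Changelog` with a setext `Changelog` / `=========` heading while the subsection headings earlier in the same commit go the other way (`##` to `### **…**`), leaving the README with both syntaxes. Picking one style for the whole file, ATX throughout (`## Changelog`, `### About Hashing Profiles`, …), is the smaller change and makes every level explicit; the `@@ 162,7 162,8 @@` header shows the setext form also costs an extra line per heading.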
@@ 186,7 187,8 @@ hopefully this helps understanding how to use this package.
* v0.1.0: initial release


# Important Notes
Important Notes
===============

bcrypt is just a wrapper to `x/crypto/bcrypt`, only scrypt and argon support masked parameters.



@@ 195,7 197,8 @@ using a modern profile to store new passwords.



# Featuring (because there is always a star in your production..)
Featuring (because there is always a star in your production..)
===============================================================

* [Argon2](https://en.wikipedia.org/wiki/Argon2) for today key stretching.
* [Scrypt](http://en.wikipedia.org/wiki/Scrypt) for key stretching.